Trusted and Untrusted Sources

DHCP snooping identifies ports as trusted or untrusted. When the feature is enabled, by default all vEthernet ports are untrusted, and all Ethernet ports (uplinks), port channels, and special vEthernet ports (used by other features, such as VSD, for their operation) are trusted. You can configure whether DHCP snooping trusts a given traffic source.

In an enterprise network, a trusted source is a device that is under your administrative control. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network (such as a customer switch) is an untrusted source. Host ports are untrusted sources.

In the Cisco Nexus 1000V, you indicate that a source is trusted by configuring the trust state of its connecting interface. Uplink ports, as defined with the uplink capability on port profiles, are trusted and cannot be configured to be untrusted. This restriction prevents the uplink from being shut down for not conforming to rate limits or DHCP responses.

You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network, or if the administrator is running the DHCP server in a VM behind that interface. You usually do not configure host port interfaces as trusted.

Note For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces.

DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database on each VEM. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

Note The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

DHCP snooping updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives a DHCPACK message from the server. The feature removes the entry from the database when the IP address lease expires, when the device receives a DHCPRELEASE or DHCPDECLINE from the DHCP client, or when it receives a DHCPNAK from the DHCP server.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

You can remove dynamically added entries from the binding database by using the clear ip dhcp snooping binding command. For more information, see the "Monitoring DHCP Snooping" section.

High Availability

The DHCP snooping binding table and all database entries created on the VEM are exported to the VSM and are persistent across VSM reboots.

Prerequisites for DHCP Snooping

DHCP snooping has the following prerequisites:

•You must be familiar with DHCP to configure DHCP snooping.

Guidelines and Limitations

DHCP snooping has the following configuration guidelines and limitations:

•A DHCP snooping database is stored on each VEM and can contain up to 1024 bindings.

•For seamless DHCP snooping, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.

•If the VSM uses the VEM for connectivity (that is, the VSM has its VSM AIPC, management, and inband ports on a particular VEM), these virtual Ethernet interfaces must be configured as trusted interfaces.

•If DHCP snooping is also enabled on a device upstream from the Cisco Nexus 1000V, the interfaces on that upstream device that connect to the Cisco Nexus 1000V must be configured as trusted.


Enabling or Disabling DHCP Snooping on a VLAN

Use this procedure to enable or disable DHCP snooping on one or more VLANs.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

•You are logged in to the CLI in EXEC mode.

•By default, DHCP snooping is disabled on all VLANs.

SUMMARY STEPS

1. config t

2. [no] ip dhcp snooping vlan vlan-list

3. show running-config dhcp

4. copy running-config startup-config

DETAILED STEPS

Command

Purpose

Step 1

config t

Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2

[no] ip dhcp snooping vlan vlan-list

Example:

n1000v(config)# ip dhcp snooping vlan 100,200,250-252

Enables DHCP snooping on the VLANs specified by vlan-list (a comma-separated list of VLAN IDs and ranges). The no option disables DHCP snooping on the VLANs specified.

Step 3

show running-config dhcp

Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 4

copy running-config startup-config

Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Enabling or Disabling DHCP Snooping MAC Address Verification

Use this procedure to enable or disable DHCP snooping MAC address verification. If the device receives a DHCP packet on an untrusted interface and the source MAC address in the Ethernet header does not match the client hardware address (chaddr) carried in the DHCP payload, address verification causes the device to drop the packet.
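The following Python model pulls together the rules described on this page: uplink ports are trusted and cannot be made untrusted, DHCP server messages arriving on an untrusted port are dropped, MAC address verification compares the frame's source MAC with chaddr, and the binding database gains an entry on DHCPACK and loses it on DHCPRELEASE, DHCPDECLINE, DHCPNAK or lease expiry. It is an added example, not Cisco Nexus 1000V code; the class and field names, the message representation, the port names and the sample traffic in demo() are all constructed for illustration, and time is an explicit integer rather than a real clock.

```python
# Added example modelling the DHCP snooping rules on this page; it is not
# Cisco Nexus 1000V code. Class/field names, the message representation
# and the sample traffic are constructed; time is an explicit integer.
from dataclasses import dataclass

# Only a DHCP server should send these; on an untrusted port they are dropped.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Port:
    name: str
    uplink: bool = False      # uplinks are always trusted
    trusted: bool = False

    def is_trusted(self) -> bool:
        return self.uplink or self.trusted


@dataclass
class Dhcp:                   # one DHCP message as the switch sees it
    port: str
    vlan: int
    msg: str
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address in the DHCP payload
    yiaddr: str = ""          # leased address (DHCPACK)
    lease: int = 0            # lease seconds (DHCPACK)


@dataclass
class Binding:                # one row of the binding database
    mac: str
    ip: str
    vlan: int
    interface: str
    expires: int


class DhcpSnooping:
    def __init__(self, ports, snooped_vlans, mac_verify=False):
        self.ports = {p.name: p for p in ports}
        self.vlans = set(snooped_vlans)
        self.mac_verify = mac_verify
        self.bindings = {}    # (vlan, mac) -> Binding; untrusted hosts only
        self.pending = {}     # (vlan, mac) -> untrusted port awaiting an ACK

    def set_trust(self, port: str, trusted: bool) -> None:
        p = self.ports[port]
        if p.uplink and not trusted:
            raise ValueError(f"{port}: uplink ports cannot be made untrusted")
        p.trusted = trusted

    def expire(self, now: int) -> None:
        """Remove bindings whose lease has run out."""
        self.bindings = {k: b for k, b in self.bindings.items() if b.expires > now}

    def process(self, pkt: Dhcp, now: int = 0):
        """Return ('forward'|'drop', reason) and update the binding database."""
        if pkt.vlan not in self.vlans:
            return "forward", "snooping not enabled on VLAN"
        key = (pkt.vlan, pkt.chaddr.lower())
        if self.ports[pkt.port].is_trusted():
            # Server replies: the binding is tied to the untrusted client port
            # learned from that client's earlier DISCOVER/REQUEST.
            if pkt.msg == "DHCPACK" and key in self.pending:
                self.bindings[key] = Binding(key[1], pkt.yiaddr, pkt.vlan,
                                             self.pending.pop(key), now + pkt.lease)
            elif pkt.msg == "DHCPNAK":
                self.bindings.pop(key, None)
                self.pending.pop(key, None)
            return "forward", "trusted port"
        if pkt.msg in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if self.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop", "source MAC does not match client hardware address"
        if pkt.msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = pkt.port
        elif pkt.msg in ("DHCPRELEASE", "DHCPDECLINE"):
            self.bindings.pop(key, None)
        return "forward", "client message on untrusted port"


def demo():
    """Constructed traffic: a legitimate lease, a rogue server and a spoofed frame."""
    sw = DhcpSnooping([Port("Eth3/1", uplink=True), Port("Veth1"), Port("Veth2")],
                      snooped_vlans={100}, mac_verify=True)
    srv, c1, c2 = "00:11:22:33:44:55", "00:50:56:aa:bb:01", "00:50:56:aa:bb:02"
    verdicts = [
        sw.process(Dhcp("Veth1", 100, "DHCPDISCOVER", c1, c1))[0],
        sw.process(Dhcp("Eth3/1", 100, "DHCPOFFER", srv, c1))[0],
        sw.process(Dhcp("Veth1", 100, "DHCPREQUEST", c1, c1))[0],
        sw.process(Dhcp("Eth3/1", 100, "DHCPACK", srv, c1, "10.0.100.25", 3600), now=1000)[0],
        sw.process(Dhcp("Veth2", 100, "DHCPOFFER", c2, c1))[0],      # rogue server
        sw.process(Dhcp("Veth2", 100, "DHCPDISCOVER", c2, c1))[0],   # src MAC != chaddr
    ]
    return verdicts, sw


if __name__ == "__main__":
    v, sw = demo()
    print(v, list(sw.bindings.values()))
```

Running demo() forwards the four legitimate messages of the lease exchange and leaves one binding for the client on Veth1, while the DHCPOFFER sent from the host port Veth2 and the DISCOVER whose source MAC disagrees with chaddr are both dropped. Note that the real feature also has a per-VEM limit of 1024 bindings and does not create entries for hosts behind trusted ports; the model reflects the second rule and leaves the limit to the reader.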